Posted
by
timothyon Tuesday January 21, 2014 @01:53PM
from the all-eggs-one-basket dept.

cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"

Completely agree. This really would be defending the country. If the NSA didn't spy on citizens they could even have provided assistance to private companies and individuals on computer security. Now though, they have lost all trust (by weakening encryption) so no one will ever trust any of their recommendations on security again.

I'm not personally familiar with the database they're using, but it's worth noting that injection attacks work on some noSQL databases too. It all depends on how the data is added and accessed; any language (for even very loosely defined values of "language") that fails to clearly distinguish instructions from data risks the latter being interpreted as the former.

I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.

CGI botched up the long gun registry in Canada in the same way many years ago.

You haven't done much contract work, have you? The government illegally exempted this web site from the usual security checks and procedures, and prioritized some aspects of development so it would "meet schedule" with a less-than-fully-working site. They very much did direct the contractors how to spend resources, and security and quality were nowhere near the top of that list.

I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.

"In the first detailed account of what happened, officials of four contractors involved in the website creation described a convoluted system of multiple companies operating separately under the oversight of CMS, a part of the Department of Health and Human Services. Each said their individual components generally performed as planned after internal testing, but all conceded that CMS failed to conduct sufficient "end-to-end" testing of the entire system before the launch... an end-to-end test conducted within two weeks of the launch caused the system to crash. She said it was up to CMS to decide on proceeding with the rollout."

"... blamed a decision by CMS within two weeks of the launch to require users to fully register in order to browse for health insurance products, instead of being able to get information anonymously, as originally planned."

The preceding should not be interpreted to mean that the contractor did good work. They may have been a problem as well. My point is that government officials were basically sabotaging their project through mismanagement. Inadequate integration testing, last minute changes, launching despite testing showing they were not ready... It appears that politicians were in control.

I'm guessing the specs didn't include "Allow everyone and his kid brother to access other people's personal information as an aid to identity theft." I'm guessing they also didn't include "Crash all the time" and "Fail to actually allow people to sign up for health care."

Here's how I see this general situation:1. Government contracts with company C to do task X.2. Company C, instead of doing X, does the much cheaper Y that looks kind of like X and says they did X.3. Conclusion: Company C defrauded the government, and should be held liable, as well as removed from any future consideration for any government contract.4. Second conclusion: If government continues to do business with Company C or failed to sue the pants off of the company for breach of contract, then the government screwed up (or is corrupt).5. Invalid conclusion: The government screwed up but Company C had nothing to do with it.

You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.

From Homeland Security's website:----------To become a citizen at birth, you must:- Have been born in the United States or certain territories or outlying possessions of the United States, and subject to the jurisdiction of the United States; OR- had a parent or parents who were citizens at the time of your birth (if you were born abroad) and meet other requirements

To become a citizen after birth, you must:- Apply for “derived” or “acquired” citizenship through parents- Apply for nat

If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k In 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).

Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:

1. Create an account on the site.2. Log in.3. Notice that your URL ends in something like/showUserProfile?userID=700014. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.

A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.

Yep. I see this all the time. Sometimes it's a little more subtle, though. Like, say, storing that value in a cookie. Most people never look at their cookies, but a web security expert (on either side) is more likely to see the cookies than they are to see the actual site rendering. Or the value might be something that in the abstract is impossible to guess (like 59340341412091985) but if you happen to know your SSN and your birthdate, you might recognize those values in that 17-digit mess (it's even easier if, for example, there's a | character between the parts) and then you can (relatively easily) start guessing other peoples' pairs.

Sometimes it's even more subtle and requires some actual work to get at it, like storing an ID value concatenated with some other garbage like the date in a cookie encrypted with a static key (this one is actually fairly commonly done as a method of generating a token *identifying* the authenticated session, after all, if you don't have the key you can't generate the authentication token, right?). However, if you can guess which bits of that token are the ID (not hard; they're the ones that are the same whenever a given account signs on, but different for every account) you can twiddle the bits and basically brute-force the search space of valid IDs. There are still many ways to make this at least *somewhat* harder to attack, but a lot of developers won't bother... and there are ways to do it *worse*, too, like using an XOR with a constant mask instead of a merely re-using the key with a real cipher.

Good point. I've always been impressed by how hackers can exploit the information gleaned from a very sample interactions with a system to discern the underlying algorithm behind token choice, etc. I saw a step-by-step presentation recently from DEFCON on how the presenter was able to break into someone's social media account, IIRC by whittling down millions or billions of possible authentication tokens to a very small number by a combination of social engineering and sleuthing using the clock time, host IP, etc. I wish I could find it again and post it here; it was dizzying.

The commercial company that built this website was let go from their contract, and without that contract there will likely be firings.

But yes, feel free to tell us about all the firings from the major corporate breaches that happened in the last year. Because if you think this doesn't happen all the time, you're living in a fantasy world.

I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

My first job out of college was working for the Department of Defense as a civilian programmer (I worked for a specific branch of the US military, but I'd prefer not to name it). I can tell you based on what I saw that the answer to your question is "Get a contract awarded to you." My first job was that I was hired to work with a small team trying to finish up a salvage operation on some old IBM hardware that the contractor never completed the project on. We were finishing up making it work after the contractor gave up and gave us the computers. I can't say this with 100% absolute certainty, but the senior guy on the project insisted that the contract got fully paid and the vendor never was sued for giving up on the project without meeting what the project called for. He said they just turned over the computers and the source code for as far as they had gotten and called it a day with Uncle Sam just shrugging his shoulders about it. I learned while working there that literally anything can be justified if it's on a contract. No cost is so high that it can't be justified if it's on a contract between the DoD and a private company. The right wingers unfortunately help to waste US taxpayer money here by insisting that everything there is can be done "cheaper" (ha ha ha) by any private company. Almost all of my DoD career was spent working on various projects where the government reclaimed them from a contractor (sometimes after completion, sometimes when the contractor just gave up on it) and everything was significantly cheaper for us once we took over the projects. So what happens is that unscrupulous vendors bid cheaply on contracts they can't be sure that they can actually complete because they're rarely sued and they can usually get fully paid or close to it for any half-way attempt they make on the project. Nobody on the right ever questions the wisdom of this process because it is "saving money".

OK, so if the site is so damned vulnerable why hasn't it been cracked by a Black Hat yet? Access to this sort of information is the wet dream of most hackers-for-hire. TFA quotes a Government person saying that the site is secure. The White Hat hackers say it isn't. Unless someone is lying about there having been no break-ins yet, then I have a hard time accepting that the site is a plum waiting to be picked by the next script kiddie that comes along. I could see that there would be a desire to cover u

Granted, but I would have expected that this flood of hacked information would be showing up in the black markets somewhere. As I recall, the way we first learned of the Target hack job was because the stolen information was showing up in these markets and was being used. Is there any evidence that this is the case for this treasure trove of information?

Why do you assume it has not been? What makes you think adequate detective controls are in place to even determine if it has or has not? Why do think the Obama administration would tell you if they knew it had, especially if there was not fix in place yet?

You are making an rather huge assumption when you state it hasn't been cracked by a Black Hat. You expect press releases from someone who has taken all the information for their own uses?You are also assuming that anyone incompetent enough to create that abomination is competent enough to notice if they have been hacked.

How do you know it hasn't been? It's not like some Chinese black hat would issue a press release claiming what had been done in that case. Instead, the information would be sat on for a while to distance its release from the slight bump in traffic when the actual breach occurred. Then it would be farmed out, quietly, to third parties looking to engage in identity theft and such. They in turn would probably take it slow; too big a glut of that kind of activity is not only sure to be noticed, it drives down p

If a government website exposes thousands of citizens to high levels of danger, it has to be shut down and not taken back online until it works. He does have the power to take the site off line. Sure, he is not the one coding it, but it's not exactly NORAD. It's a highly broken shopping site. What level of incompetence would he have to display before his supporters would finally agree that he is, in fact, just an empty suit? I want to know where that line is that he cannot cross as far as his supporters are concerned. This is the guy who sold guns to drug dealers to whom the gun dealers wouldn't sell guns because he wanted to create the perception that guns are dangerous (and no, you silly, Bush didn't do the same thing -- Bush considered it and then decided it was a dumb idea and shelved it). Don't even start with "he didn't do it personally". He did -- by the virtue of the fact that his political appointees did it and weren't even fired for it. What is the line he cannot cross? I just want to know what to expect. Or should just settle in and enjoy the surprises?

How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.

I saw nothing in the linked article that indicated 'what' information was pulled for these 70,000 'records'. It could be something as simple as IP information. Simply claiming you hacked a site without providing specifics at to what was extracted isn't all that useful. It makes for good headlines and 'clicks', but not much else.

This is what passes for reporting these days?

Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and perform

The problem with white hat hacking is that the sentence is as long as black hat. Likely the details are deliberately vague to maintain some denyability. And nobody official is acknowledging any weaknesses, let alone detailing what could be lost in a breach. Am I at risk? If so, what of me is?

Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.

* Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...

I'm not sure why healthcare.gov needs drivers license numbers, but those others are true of private healthcare companies, who appear to have more leaks than the government at least on this graph. [softpedia.com]

I'm not saying government is more secure, I'm just saying the dangers aren't unique to healthcare.gov.

According to the article, the government is not REQUIRED to tell you about hacking attempts. HIPPA and other laws require that they disclose "hacks"

Second, as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.

Or you could, I dunno actually call up the credit rating agencies and actually describe the problems. Quite often they can actually help you with your problems, though by the time you get to them, you're generally feeling too irate to appreciate it.

I had collections agencies calling me every few weeks asking for 'insert name here' who apparently bought some crap and put my phone number as the contact info. Well, a company generally shops the collections duties out to a bunch of useless leaches that don't gi

But what is the solution here? Move it to the private sector? You said yourself that the private sector has no experience with that kind of stuff. It's easy to scream.gov sucks, but the private sector will face far bigger problems - including dealing with corporate failure. Will everyone go without insurance just because a corporation failed?

While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.

It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.

But what about the companies who store info on me that I've never done business with? There are plenty of data aggregators out there that have tons of people in databases without any of them ever having done any direct business with them.

Its a false dichotomy because you can never know the inherent security of a company you do business with really. Often these companies are veiled behind the companies you do perform business with anyways, so who's to say that although 'Walmat' may be secure, but maybe their downstream credit merchant bureau has huge leaks, or maybe their third party BI / sales data processing service has some inherent flaw, or... Security isn't as simple as putting the onus on a very complicated problem and just saying 'sure, I trust Walmat with my credit, address, phone', etc..

Ideally all this 'information' will become a lot less valuable (like making the ability to attain credit a lot more difficult than some data entered into a web page) but that'll happen sooner or later, be assured. The Internet's rather new in this respect, and although safeguards help, they are by no means perfect. You could increase the security (which is always a good idea for items of value), but ideally, we just make a credit card number useless. Who cares. Its a 16 digit number. Its the hundreds / thousands of sites accepting that as 'sufficient' for merchant exchanges that make the number important.

The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.

If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.

The example you gave - the securites markets - deal only with impersonal numbers. There have been a bit of screw ups in the past (Flash crash for exmaple.), but it's a matter of backing up trades and lecturing member firms and maybe a little slap on the wrist.

No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.

With Healthcare.gov, we're dealing with individuals information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.

Sure they would. Not all of them, true, but most. That's not to say they'd be perfect, but they would certainly have done better. Banking websites, despite often having stupid legacy requirements like 8-character passwords or relatively weak SSL ciphers, are routinely designed with vastly better security than is being described here. That's for their own sites; for ones operating under such a high-profile-the-gov-is-paying situation? They'd be idiots not to, and contrary to what it sometimes seems, not many successful companies are actually run by idiots. This whole fiasco has the potential to spell death for this company, and its top people, at least in government circles. They'll be too toxic to touch!

Don't get me wrong, really good web security is hard. There's simple fixes for pretty much every class of problem, but there are a *lot* of possible problems and some of them are pretty un-intuitive. Knowing what security to implement, where, and how to do it is pretty specialized knowledge. In theory, it should be something every web developer knows, of course. In practice, that's not the case at all. Instead, there are a bunch of basic guidelines every code monkey is given, and then there are a handful of experts who oversee the whole thing. Small companies, or those operating on a tight budget of either time or money, may opt to leave that part to some outside experts once the code is already written (I would know; this is what I do) but they still often at least make the attempt.

To go completely without such expertise, on such a high-profile project, though? Pure folly. Even where the implementation of security recommendations is hard (and sometimes it is), the cost of failing to implement them will be much greater, and they really should know that.

At one place I used to work, we had to run our site through an automated testing utility that had over 1000 hack attempts. It found 8 on our site (that had never been hacked to my knowledge). We took care of 6 easily, 1 more without too much effort and finally convinced the powers that be that the 8th one would cost more than they were willing to pay.

Sure, it was a pain, but it really wasn't that hard to secure an additional 7 hack attempts (6 of which I had never heard of, despite all my years in the ind

I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).

I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have(had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.

This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.

I think it is important to point out that effectively this was the work of a commercial company.

No its not. A commercial company would be losing money hand over fist, being sued by customers by the thousands, no one would choose to do business with it, and they would have run out of investment money long ago.

The ONLY way to have a failure of this magnitude is with the unlimited coffers of the government, funded by tax payers with no say in it.

So when a government agency does something good, it's because it outsourced some work to the private sector. If it does something bad, it is because it is a government agency. Did I get that right? For some reason , I smell a variation of the "privatize profits, socialize losses" mantra.

The most common one for contracts is being able to bill on hours spent (either T&M or a cost-plus-whatever contract structure) rather than one deliverables. Inside the government, it's career civil service with little ability to fire people who suck at their jobs (as opposed to breaking bright line rules). Fundamentally, the government itself cannot go out of business, so it lacks the basic motivation of citizens and private enterprise to do things efficiently and effectively.

> Forget the military-industrial complex; sequestration is shutting that down.

ROTFL really? You actually think that is shutting down or that the fake sequestration dance had shit to do with it?

Last year, right before sequestration hit, congress approved massive military spending on all sorts of pork. Sequestration itself was even only a cut in budget increases. Sequestration is very narrowly aimed at making paper cuts look like gaping wounds....and does so with exacting precision.

I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

Do remember that it was Obama that "closed down parks" and "did everything they could to make people feel the cuts", not Congress.

Most of the cuts did nothing that would've been noticed by the average citizen, but you can't generate outrage at Congress with barely noticable cuts. So they spent extra money putting traffic cones up blocking sites from which Mount Rushmore could be photographed, and shut off access to the Tomb of the Unknowns (which normally has no restrictions to access - it's in the middle of a lawn).

I disagree. I'm still waiting for the IRS to process a form I sent back in October. I call every couple weeks and they say due to sequestration the customer service staff has been cut and they'll get to it when they get to it. It's driving me crazy.

Funny story about that. The IRS planned to implement the sequester cuts by furloughing [washingtontimes.com], without pay, for five days during 2013. (Each of the 5 days would have been immediately preceding or immediately following a holiday weekend.) By mid July, the IRS "came up with some emergency funding" that they could use to offset the sequester cuts, meaning IRS staff only had to take 3 days without pay.

The sequester cuts were long over by the time you submitted your form in October. The government shutdown is also lo

I'm amazed at how poorly government can handle even modest changes in funding... and not just at the federal level. During the financial crisis, our local school system had a 5% cut, and you would have thought the world had ended. They zeroed out maintenance, fired teachers, cut programs, all to preserve a yet-to-be-negotiated pay raise for the staff. Meanwhile, in my job in the private world we all took a 25% reduction in pay for a while when the company's revenue went suddenly to nearly zero, so my sympathy was not exactly running high.

Mind you, cutting 5% returned them to the previous year's levels. No one could answer my question about how they managed to hold it all together the year before if the funding was "so bad".

You're a fool and clearly never worked in Defense Contracting. I have, at one of the big six, and I can assure sequestration was quite damaging. Layoffs at most industrial centers, cancelations of contracts which led to increased overhead, running up the costs of certain programs and turning them unprofitable, etc.

I worked in the industrial side, building ships. The Navy had to delay several ship procurements, which led to a lack of economies of scale and efficient manufacturing methodology which icnreased cost; our bids were based on a set schedule of production and the delays ramped that up. Other guys building vehicles had programs cut, which lowered the numbers of the base contract subsequently increasing the unit cost of each vehicle, as you have fewer to spread your fixed overhead and industrial manufacturing requires a lot of fixed overhead. Same thing on the aircraft side, and the cutbacks flow down through their subcontractors, laying people off. I have several PhD friends working as civilian researchers for the DoD; their budget was bigger than NASA's entire budget. Most of their programs got cut back, and suddenly a bunch of PhDs were sitting around twiddling their thumbs doing paperwork instead of researching new materials and communications systems; most left for the private sector. Sequestration was a serious blow.

Politically I'm happy it hit; there was too much expansion of the DoD under the last two wars and it needed to be paired back. But with a scalpel, not with the battle-axe that sequestration was.

And even after reading your whole comment, we repeat... AND NOBODY NOTICED.

Congress is currently among the most incompetent and ineffective governining bodies on the planet. It's filled with people in safe seats (no particular effort required to win) and corporate shills who are open about it. The place needs a total purging, but that would require voters to do something other than vote for the same party every single time.

And if you expect anything out of voters these days, good luck with that.